DTLS 1.2 broken in version 1.77; handshake finished sends hello_request instead of change_cipher_spec and finished #1595
Sequence example from RFC 5764

```mermaid
sequenceDiagram
participant X as Client
participant Y as Server
X->>Y: ClientHello
Y->>X: ServerHello
Y-->>X: Certificate
Y-->>X: ServerKeyExchange
Y-->>X: CertificateRequest
Y->>X: ServerHelloDone
X-->>Y: Certificate
X-->>Y: ClientKeyExchange
X-->>Y: CertificateVerify
X->>Y: ChangeCipherSpec
X->>Y: Finished
Y->>X: ChangeCipherSpec
Y->>X: Finished
```
Actual sequence in bctls 177 / 1.77

```mermaid
sequenceDiagram
participant X as Client
participant Y as Server
X->>Y: ClientHello
Y->>X: ServerHello
Y-->>X: Certificate
Y-->>X: ServerKeyExchange
Y-->>X: CertificateRequest
Y->>X: ServerHelloDone
X-->>Y: Certificate
X-->>Y: ClientKeyExchange
X-->>Y: CertificateVerify
X->>Y: HelloRequest
```
Truncated log output, from the client end after we've received the ServerHelloDone:

```
Send handshake
Sent handshake
Send handshake
org.bouncycastle.tls.DTLSRecordLayer - send - buf: 1400000c000400000000000cb998963f6464e0fc82e4e1f0
Send
org.bouncycastle.tls.DTLSRecordLayer - sendRecord - contentType: 22 buf: 1400000c000400000000000cb998963f6464e0fc82e4e1f0
Send handshake
```
There is a bug in `DTLSRecordLayer.send(byte[] buf, int off, int len)`: when called with a `HandshakeType.finished` it does not send `change_cipher_spec` nor `finished` and instead only sends `hello_request`. This prevents DTLS client implementations from connecting to DTLS 1.2 servers.

In `DTLSClientProtocol` around line 326 is where the call initiates:

Also, in addition to this issue, in the same class I believe there is a typo at line 101 where the commented out line is actually more correct (`if` works where `while` does not):

Reference: https://datatracker.ietf.org/doc/html/rfc4346#section-7.4.9
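As an added example (not code from this issue or from Bouncy Castle), the Python below decodes the 12-byte DTLS handshake header of the `buf` value in the log above and checks a list of sent records for the ordering the referenced RFC section requires, change_cipher_spec immediately followed by finished. The content-type and handshake-type codes are the standard TLS/DTLS values; the record lists used to exercise the checker are constructed.

```python
# Added example (not bctls code): decode the DTLS handshake header logged
# above and check a client flight's ordering. Codes are from RFC 5246/6347.
CHANGE_CIPHER_SPEC = 20   # ContentType.change_cipher_spec
HANDSHAKE = 22            # ContentType.handshake
HT_HELLO_REQUEST = 0      # HandshakeType.hello_request (server to client only)
HT_FINISHED = 20          # HandshakeType.finished
HANDSHAKE_NAMES = {0: "hello_request", 1: "client_hello", 2: "server_hello",
                   11: "certificate", 12: "server_key_exchange",
                   13: "certificate_request", 14: "server_hello_done",
                   15: "certificate_verify", 16: "client_key_exchange",
                   20: "finished"}

def parse_dtls_handshake_header(buf: bytes) -> dict:
    """Parse the 12-byte DTLS Handshake header; also return the fragment body."""
    if len(buf) < 12:
        raise ValueError("buffer shorter than a DTLS handshake header")
    hdr = {
        "msg_type": buf[0],
        "length": int.from_bytes(buf[1:4], "big"),           # uint24
        "message_seq": int.from_bytes(buf[4:6], "big"),      # uint16
        "fragment_offset": int.from_bytes(buf[6:9], "big"),  # uint24
        "fragment_length": int.from_bytes(buf[9:12], "big"), # uint24
    }
    hdr["name"] = HANDSHAKE_NAMES.get(hdr["msg_type"], "unknown")
    body = buf[12:12 + hdr["fragment_length"]]
    if len(body) != hdr["fragment_length"]:
        raise ValueError("fragment_length exceeds the captured buffer")
    hdr["body"] = body
    return hdr

def check_final_flight(records) -> list:
    """records: (content_type, handshake_type or None) tuples in wire order.
    Empty result means finished is present and immediately preceded by
    change_cipher_spec, as RFC 4346 section 7.4.9 requires."""
    problems = []
    finished_seen = False
    for i, (ct, ht) in enumerate(records):
        if ct == HANDSHAKE and ht == HT_FINISHED:
            finished_seen = True
            if i == 0 or records[i - 1][0] != CHANGE_CIPHER_SPEC:
                problems.append("finished not immediately preceded by change_cipher_spec")
        elif ct == HANDSHAKE and ht == HT_HELLO_REQUEST:
            problems.append("unexpected hello_request in client flight")
    if not finished_seen:
        problems.append("finished missing")
    return problems

# buf value copied from the log above: msg_type 0x14 = 20 (finished),
# length 12, message_seq 4, followed by the 12-byte verify_data.
LOG_BUF = bytes.fromhex("1400000c000400000000000cb998963f6464e0fc82e4e1f0")
```

Running `check_final_flight` over the content types actually emitted by the record layer (the `contentType` values in the log) shows at a glance whether the change_cipher_spec record went out before the finished message.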